Why Volunteer Mobile Calls Are a GDPR and Safeguarding Risk

Picture the scene. A volunteer sits down for their shift, picks up their own mobile, and starts making calls on your charity’s behalf. They’re helpful, dedicated, and doing exactly what you asked them to do.

What could possibly be wrong with that?

Quite a lot, as it turns out — and most charities have absolutely no idea.

This isn’t about questioning the intentions of your volunteers. It’s about a GDPR blind spot that affects the vast majority of charities in the UK, and one that the ICO has been increasingly clear about: there is no volunteer exemption from data protection law. When your volunteers handle personal data — including making phone calls on your behalf — your charity is responsible for how that happens.

The legal position, in plain English

Under UK GDPR, your charity is the data controller. That means you’re legally responsible for how personal data is processed — by your staff, your contractors, and yes, your volunteers.

Volunteers are treated exactly the same as employees under data protection law. There is no exemption for smaller organisations, and there is no exemption for good intentions. As data protection consultant Tim Turner has put it bluntly in guidance widely cited across the sector: “There is no volunteer exemption. Using volunteers is a choice you have made, and you are responsible for ensuring that you manage the risks adequately.”

When a volunteer uses their personal phone to call a beneficiary, donor, or service user on your behalf, several things happen simultaneously that you may not have considered.

30% of UK charities experienced a cyber security breach or attack in the 12 months to 2025. Personal devices are one of the most common points of vulnerability — and one of the hardest for a charity to control. (UK Government Cyber Security Breaches Survey, 2025)

What’s actually happening when a volunteer uses their personal phone

Every call made from a personal mobile leaves a data trail — and none of it is under your control.

The beneficiary’s number is stored on someone else’s device

When a volunteer calls a service user or beneficiary, that person’s phone number may be saved to the volunteer’s personal contacts. Their call log will show who they called and when. That is your beneficiary’s personal data, sitting on a device that you don’t own, can’t monitor, and have no control over. If that phone is lost or stolen, or if the volunteer leaves your organisation without wiping their contacts, you have a data breach — and potentially no way of knowing it happened.

The volunteer’s personal number is disclosed to vulnerable people

When a volunteer calls out from their personal mobile, the person receiving that call sees the volunteer’s personal number. For charities working with vulnerable groups — people in mental health crisis, domestic abuse survivors, individuals with complex needs — this creates a real safeguarding problem. A service user may call back on that personal number after a shift ends. The volunteer may receive contact they’re not equipped to handle. And your charity has no visibility over any of it.

There is no call record, and no audit trail

If your charity ever faces a safeguarding concern, a complaint, or an ICO investigation, one of the first things you’ll need is evidence of what was said and when. When calls are made from personal mobiles, that evidence doesn’t exist. You cannot evidence compliance with safeguarding protocols you have no record of.

When the volunteer leaves, the data doesn’t automatically go with them

Data protection law requires that personal data is deleted when there’s no longer a lawful basis to retain it. When a volunteer leaves your organisation, they are legally required to destroy any personal data held on their personal devices. In practice, this almost never happens in a managed way — because most charities don’t have a process for it, and most volunteers don’t know it’s their legal obligation.

The ICO has fined charities including Mermaids (£25,000), HIV Scotland (£10,000), and Central YMCA (£7,500) for data protection failures. In each case, the breach came down to avoidable failures in how personal data was handled — not malicious intent, just inadequate process.

Why this happens in almost every charity

The honest answer is resource and awareness. Most charities don’t have dedicated IT support or a data protection officer on hand. Volunteers are often brought in quickly and given a list of contacts to call. The practical question of what device they use — and what happens to that data — simply doesn’t come up.

There’s also an assumption baked in: that because the volunteer is acting in good faith, the risk is low. But GDPR risk isn’t about intent. It’s about process. A well-meaning volunteer whose phone is stolen, who keeps a service user’s number in their contacts for years after leaving, or who calls a vulnerable person from a number that then becomes their de facto point of contact — none of that involves any bad intent. And all of it creates real exposure for your charity.

The solution is simpler than most charities expect

A modern VoIP phone system solves this problem almost entirely — and it does so in a way that requires nothing extra from your volunteers.

Here’s how it works in practice. Your charity has a VoIP system. Your volunteer downloads a free app to their own smartphone. When they make a call through that app, it routes through your charity’s phone system — so the person they’re calling sees your charity’s number, not the volunteer’s personal mobile. The call is logged centrally in your system. You have a record of it. The volunteer’s personal number is never disclosed.

When the volunteer leaves, you simply remove them from the system. Their access is gone. The call records remain with your charity, where they belong.

For charities working with vulnerable people — which is the majority of the sector — this isn’t a nice-to-have. It’s what proper safeguarding looks like in practice.

What to do if your volunteers are currently using personal phones

Don’t panic — but don’t ignore it either. Here’s a practical starting point:

1. Acknowledge the gap exists. If volunteers are making outgoing calls on your behalf from personal mobiles right now, you have a data governance gap. That’s the starting point for fixing it.
2. Review your data protection policy. Does it explicitly cover how volunteers handle personal data during phone calls? If not, it needs updating. The ICO’s free guidance for charities is a good starting reference.
3. Train your volunteers. NCVO guidance is clear: volunteers who handle personal data must receive data protection training as part of their induction. Most don’t — and most charities don’t know that’s a requirement.
4. Get the right phone system in place. A VoIP system that lets volunteers use your charity’s number from their own phone is the practical, long-term fix. It removes the problem at the source rather than trying to manage it through policy alone.

How SwitchAid helps

We work with over 700 charities across the UK, and the personal mobile issue is one of the most common things we encounter. In many cases, the charity leadership is genuinely unaware it’s happening — because it’s just become normal practice over the years.

When we set up a VoIP system for a charity, volunteer access is built in from the start. Every volunteer who makes calls on your behalf does so through your system, on your number, with a full call log. It’s set up in minutes, requires no new hardware, and costs a fraction of what most charities assume.

If you’d like to understand whether your current setup is creating a GDPR or safeguarding risk, we offer a free, no-obligation review. We’ll tell you honestly what we find — and only recommend making a change if it genuinely makes sense for your organisation.

Book a free review: switchaid.org  |  0191 303 9404  |  info@switchaid.org